The objective of the audit/assurance review is to provide management with an independent assessment of the VPN implementation and ongoing monitoring/maintenance of the effectiveness of the supporting technology.

The audit/assurance review will focus on VPN standards, guidelines and procedures as well as the implementation and governance of these activities. The review will rely upon other operational audits of the incident management process, configuration management and security of networks and servers, security management and awareness, business continuity management, information security management, governance and management practices of IT and business units, and relationships with third parties.

It may be necessary to extend the scope of the audit/assurance review to include encryption technologies and the use of PKI. Consult the ISACA E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Program for additional audit steps.

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.